Hackers, Bots, Bluehost, and Me

HackersLast week was the hacker week from hell. First, I got an email notice from my web hosting service, Bluehost: “Your website has been shut down due to violations of the terms of service agreement.” WTF?

Next, I went to my website and discovered, sure enough, it no longer existed. This prompted an international phone call and a conversation with the terms of service folks at Bluehost. They muttered to themselves more than to me as they looked through the files of my account. “It appears you have malware files on your website,” they said. “We’re putting a file in your Bluehost account so you can look at it and identify any malware files. It’s called malware.txt. After you have cleared out the suspicious files we will reinstate your blog.”

Whoa. Malware files? How would I know a malware file from a bien-ware file? And how do I find this file you have put into my Bluehost account? Obviously, I had a lot to learn about a) my Bluehost files, b) malware and hacking, and c) what to do to protect myself in the future.

But, first I wanted my blog back. The Terms of Service people sent me over to Technical Assistance and we looked at the malware.txt file together and established that the problem was a corrupted theme.

So, here is my first piece of advice, do not upload free WordPress themes. You get what you pay for, as they say, and sometimes when you do not pay, you get a lot more than you bargained for.

After deleting all the theme contents, Bluehost activated my blog again. The site was up for three hours, more or less, then I got messages from Facebook friends telling me it was down again. More international phone calls.

This time Technical Assistance told me more than half my WordPress scripts were missing or altered in some way. As the man poked around in my files he advised me to brush up on security. “How comfortable are you with WordPress at this point, would you say?” Not good enough, obviously. “Well,” he said, “I don’t feel good about keeping this website up and running with its current configuration.”

We discussed the options. Not many. Then he uninstalled WordPress, sending my eight-year-old blog, all of its 170 plus posts, comments, photos, and files off into the ozone. As he was doing this he explained the new hackers of today are mostly Bots, a shortened term for robots, or servers, that endlessly probe sites looking for weakness. “They will often change scripts and codes so that visitors to your site are automatically redirected to another site.” Vigara sales or penis enlargement sites came to mind, although the most frequent spammers I see are selling Gucci bags, probably knockoffs. “Any usernames or passwords the Bot collects are gravy for the hackers. They love to get a password because people very often use the same one or similar combinations.”

Then he sent me a couple of emails with security suggestions which I will now share with you.


• First, back up your blog and database on a regular basis. Fortunately I had already done this and it saved my blog from virtually vaporizing. We were able to reinstall WordPress and bring my blog back from the great beyond— with a few fits and starts all the posts, comments, tags, links, and photos were saved to live another day. In the Bluehost C-Panel under “Files” find “Site Backup and Restore Basic.” There you can program Bluehost to backup the site and the database on a regular schedule.

• Install a security plugin to WordPress. The techie mavens at Bluehost suggested Better WP Security. I have installed it, changed all the recommended settings to either blue or green, indicating heightened security. The red links show vulnerability. The nice thing about Better WP Security, they warn you if changing certain settings will interfere with themes. So far it has locked out at least 20 people trying to log on as admin to my account. I am regularly notified by email about updated files and plugins so I can check to make sure I was doing the edits, not someone in, say, St. Petersburg, Russia—nothing against Russians in general, but that’s where the ISP originated that I blocked permanently for abusing login rules.

Akismet, of course. This plugin scans and blocks spammers from posting on the blog. I had this amazing plugin before the mass attack, and over the five years with WordPress, it has blocked some 75,000 spam comments. I call that a working plugin!

• Read about security and the issue. I cannot stress this enough. I learned so much from the Bluehost people and the links they sent. There are sites that will auto-scan your website for malware and it’s free (of course ongoing, increased security is a monthly fee, but a quick scan costs nothing).

Try one of these two:

Clearing House

Stop Bad Ware

Other suggestions Bluehost sent me:

Recommended Themes:

Weaver II

I have Thesis Theme, which is secure and safe. It also costs money.

Recommended Plugins:

All in one Favicon
Better WP Security
Blog Copyright (by BTE)
Google XML Sitemaps
Page Comments Off Please
Send From
Strictly Auto Tags
Sucuri Security – SiteCheck Malware Scanner
TentBlogger 404 Repair
Theme My Login
WordPress SEO by Yoast
WP Smush.it

Increase Speed and Efficiency of WordPress

Occasionally when your site gets a large number of simultaneous visitors the site could appear down due to the overwhelming number of php processes running on the server. There are a couple of ways that you can combat this. You can install a caching plugin, like W3 Total Cache, or Super Cache. I have found these to sometimes slow a WordPress Site down even more, and when I have gone to remove them I have found that I had to rebuild my websites. Another option is to make use of a service like CloudFlare. My sites have access to CloudFlare through my hosting at HostMonster. CloudFlare provides the same type of caching as the caching plugins.

I will add, here, that I signed up for Cloudflare and had all manner of issues with 404 error messages. Not sure what was causing it, but I signed off that service for now.

WordPress like all database driven websites is vulnerable to attack through vulnerabilities in the code. Since WordPress will always have vulnerabilities it is important to keep WordPress, the plugins you use, and themes updated, and your passwords secure. One part of securing a password is to use a strong password (8-12 characters long with at least 1 uppercase letter, lowercase letter, number, and symbol). I have Data Guardian which has a password generator which I can copy and paste. No need for keystrokes for the hacker to follow.

Steps to Secure a Site

Remove files you are not familiar with.
Keep code updated
Remove unused scripts
Monitor file permissions
Hide configuration files
In the php.ini file make the following changes:
Set ‘register_globals’ to Off.
Set ‘display_error’ to 0 or Off. (You might ask, but I found my ‘register_globals’ and ‘display_error’ were already set as recommended. You could ask your web hosting service what their policy is.)

Remember to confirm all user inputs. Items on Forms, in URLS and so on. Remember to make use of access Control. Keep users away from admin areas, and other places they do not need to be.

For this I created a CAPTCHA form for people trying to log in as admin, which is no longer called “admin” but a personalized name. The plugin I use, SI CAPTCHA Anti-Spam, can lock someone out for a time after three attempts. I quit using Si Captcha because the hackers (sigh) changed the code and ultimately blocked me from signing into my own website. Bluehost got me back in, but what a pain. I now use the WordPress CAPTCHA plugin.

Make use of .htaccess to block known bad users, or the IP ranges of countries that you do not want accessing your website. Better WP Security is able to add some black list ips to your .htaccess. You can also make use of some free services create code for the .htaccess file to block access to certain countries. This may be useful if you see attacks coming mostly from certain countries and you do not need traffic from those countries this can be a useful tool to protect your site.

Actually, Better WP Security plugin does this for you. Once they send you a notice of abuse, you can copy the ISP and put it on a Ban Users list. I know the hackers like to move around and we cannot foil them 100% of the time, but I’m working on it!

Screen Shot 2013-02-17 at 3.44.28 PM

I cannot say enough good things about the people at Bluehost. They were polite, helpful, and did not treat me like the complete idiot I am sure they thought I was. If you are looking for a web hosting service for your website, look no further. Bluehost is the one.

So, I hope some or all of this helps you. I am so grateful for a wonderful team over at Bluehost, and that I had the sense to back up my files and database. I do keep all my posts in my Scrivener project titled Blog Posts, but the idea of reposting 170 plus posts was daunting.

Bottom line: Back it up! Lock it down!

Photos credit: Hackers Release Data-Stealing Program to Push Google to Plug Holes …phandroid.com